[Samba] I want to use CNAMES for my SAMBA server, how?

Don Meyer dlmeyer at uiuc.edu
Mon Jul 10 23:35:04 GMT 2006

At 03:00 PM 7/10/2006, Gerald (Jerry) Carter wrote:
>Mann, Roy (RGMR) wrote:
> > I have a RedHat Enterprise 3 server running SAMBA 3.0.10. The server
> > has been joined to the Active Directory forest using its fully qualified
> > domain name.
> > Windows clients can successfully map drives using that fully qualified
> > name. However, services have a tendency to be moved or need failover
> > during maintenance, so I would prefer to tell customers to use a service
> > alias like smbserver3.rest.ofthe.domain.com. When clients use that alias,
> > I can see attempts at Kerberos authentication in the logs on the SAMBA
> > server using the canonical FQDN, so Windows is getting the right address,
> > talking to the right smbd, but authentication fails.
>If you are using CNAMES, add the appropriate servicePrincipalName
>to the machine's object in AD.  Something like adsiedit works well.

Interesting... I never would have gotten here in a month or 
three.   I've been seeing this problem sporadically of late, as 
well.   Months ago, things worked fine without this.

My question, though, is what the ramifications are of a similar 
situation: where the CNAME might be dynamically moved to point to 
another system's base IP address in the case of a transfer of 
service/fail-over. Does this servicePrincipalName for the FQDN need 
to be deleted and added to the new host's object, or can the same 
servicePrincipalName be added to each machine's object? -- each 
machine that might be used to host that service address, that is...

The answer to this has ramifications for the way we are implementing 
many other services, and we are trying to use the same paradigm under 
Samba. We define a role IP name (FQDN) for a given service and tie 
it to a particular IP address. We then pass the IP address around as 
necessary -- the server serving as primary for a given service picks 
up the role address for that service in addition to its configured 
base IP address. Realistically, client requests are configured to 
employ the defined role FQDN.

I assume the adsiedit utility mentioned is a Windows executable and 
must be run at the DC. If these commands/utilities need to be run 
at the DC each time a service fails over, then this will be a major 
problem. Is there any functionality that would allow these changes 
to be effected from a Samba-based system, in order to avoid the need 
for commands run at the DC? (I suppose if the setting(s) could be 
safely preloaded for each server/object that might host a particular 
service address, then this remote capability might not be quite so 

I look forward to any/all input on this scenario...


Don Meyer                                           <dlmeyer at uiuc.edu>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

   "They that can give up essential liberty to obtain a little temporary safety,
    deserve neither liberty or safety."     -- Benjamin Franklin, 1759 
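Jerry's advice to register the alias's servicePrincipalName, and Don's question about moving it between hosts, as an added example (not code from this thread or from the Samba project): a Kerberos SPN must be registered on exactly one account in the forest, so the alias's SPN has to travel with the service rather than be preloaded on every candidate host. The script below indexes an LDIF dump of the computer objects (the DNs, hostnames and LDIF content are constructed for the example), reports which account currently holds the alias SPN, and emits the ldapmodify input that moves it to the new host without ever leaving it registered twice.

```python
"""Check and move the Kerberos SPN that backs a CNAME (role) address.

Constructed sample: SAMPLE_LDIF stands in for the output of an ldapsearch
over CN=Computers for the servicePrincipalName attribute; names are made up.
"""

ROLE_SPN = "cifs/smbserver3.rest.ofthe.domain.com"  # SPN for the alias clients use

SAMPLE_LDIF = """\
dn: CN=FS1,CN=Computers,DC=rest,DC=ofthe,DC=domain,DC=com
servicePrincipalName: HOST/fs1.rest.ofthe.domain.com
servicePrincipalName: cifs/fs1.rest.ofthe.domain.com
servicePrincipalName: cifs/smbserver3.rest.ofthe.domain.com

dn: CN=FS2,CN=Computers,DC=rest,DC=ofthe,DC=domain,DC=com
servicePrincipalName: HOST/fs2.rest.ofthe.domain.com
servicePrincipalName: cifs/fs2.rest.ofthe.domain.com
"""

def parse_spns(ldif):
    """Map each DN in an LDIF dump to the (case-folded) SPNs registered on it."""
    index, dn = {}, None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
            index.setdefault(dn, set())
        elif line.startswith("servicePrincipalName: ") and dn:
            index[dn].add(line.split(": ", 1)[1].strip().lower())
    return index

def spn_holders(index, spn):
    """DNs holding `spn`. Kerberos needs exactly one: none means the alias
    cannot authenticate at all, more than one means the KDC cannot issue a
    ticket for it (the duplicate-SPN failure)."""
    return sorted(dn for dn, spns in index.items() if spn.lower() in spns)

def failover_ldif(index, spn, new_dn):
    """ldapmodify input that removes `spn` from every current holder and
    adds it to `new_dn`; empty string when it is already only on `new_dn`."""
    holders = spn_holders(index, spn)
    if holders == [new_dn]:
        return ""
    parts = [f"dn: {dn}\nchangetype: modify\ndelete: servicePrincipalName\n"
             f"servicePrincipalName: {spn}\n-\n" for dn in holders]
    parts.append(f"dn: {new_dn}\nchangetype: modify\nadd: servicePrincipalName\n"
                 f"servicePrincipalName: {spn}\n-\n")
    return "\n".join(parts)
```

Running spn_holders before a failover is the check worth automating: a result with more than one DN explains the sporadic Kerberos failures Don describes.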
